[Full-disclosure] [ISecAuditors Security Advisories] - Reflected XSS vulnerability in Boxcryptor (www.boxcryptor.com)

2014-02-14 Thread ISecAuditors Security Advisories
=
INTERNET SECURITY AUDITORS ALERT 2014-001
- Original release date: February 4, 2014
- Last revised: February 4, 2014
- Discovered by: Vicente Aguilera Diaz
- Severity: 4.3/10 (CVSSv2 Base Scored)
- CVE-ID: -
=

I. VULNERABILITY
-
Reflected XSS vulnerability in Boxcryptor (www.boxcryptor.com).


II. BACKGROUND
-
Boxcryptor is an easy-to-use encryption software optimized for the
cloud. It allows the secure use of cloud storage services without
sacrificing comfort.

Boxcryptor supports all major cloud storage providers (such as Dropbox,
Google Drive, Microsoft SkyDrive, SugarSync) and supports all the clouds
that use the WebDAV standard (such as Cubby, Strato HiDrive, and ownCloud).


III. DESCRIPTION
-
An XSS vulnerability has been detected in www.boxcryptor.com.

Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web
sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser
side script, to a different end user. Flaws that allow these attacks to
succeed are quite widespread and occur anywhere a web application uses
input from a user in the output it generates without validating or
encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting
user. The end user's browser has no way to know that the script should
not be trusted, and will execute the script. Because it thinks the script
came from a trusted source, the malicious script can access any cookies,
session tokens, or other sensitive information retained by your browser
and used with that site. These scripts can even rewrite the content of the
HTML page.


IV. PROOF OF CONCEPT
-
Below is a typical request to save changes via the "My Account" option:

POST /app/user/modify/ HTTP/1.1
Host: www.boxcryptor.com
...
firstname=&lastname=&username=&_newsletter=

where:
-  is a numeric user ID generated by boxcryptor
-  is the firstname specified by the user
-  is the lastname specified by the user
-  is the email address specified by the user

A malicious user can inject arbitrary HTML/script code in the 
parameter.
For example:

POST /app/user/modify/3805739018726483071 HTTP/1.1
Host: www.boxcryptor.com
...
firstname=John&lastname=Smith&username=johnsm...@gmail.comThis+is+a+XSS+example&_newsletter=


V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted
user's browser. This can be leveraged to steal sensitive information such
as user credentials, personal data, etc.


VI. SYSTEMS AFFECTED
-
www.boxcryptor.com


VII. SOLUTION
-
-


VIII. REFERENCES
-
http://www.isecauditors.com
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


IX. CREDITS
-
This vulnerability has been discovered
by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).


X. REVISION HISTORY
-
February 4, 2014: Initial release


XI. DISCLOSURE TIMELINE
-
February 4, 2014: Discovered by Internet Security Auditors
February 6, 2014: Contact with the developer team
February 10, 2014: Confirmed by vendor
February 10, 2014: Vendor deployed a new version
February 13, 2014: Internet Security Auditors release the advisory


XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Internet
Security Auditors accepts no responsibility for any damage caused by the
use or misuse of this information.


XIII. ABOUT
-
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance, ITC,
etc. We are a vendor-independent provider with deep expertise since 2001.
Our efforts in R&D include vulnerability research, open security project
collaboration and whitepapers, presentations and security events
participation and promotion. For further information regarding our
security services, contact us.
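The advisory's PoC reflects the submitted "My Account" fields back into the page unencoded. The following is an added example (not ISecAuditors' or Boxcryptor's code) that parses a body in the same shape as the PoC, shows the unencoded reflection beside an attribute-encoded rendering, and includes a regression check a defender can run; the request body and the form layout are constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed request body in the same shape as the advisory's PoC
# (firstname, lastname, username, _newsletter). The marker in "username"
# is a harmless probe that closes a quoted attribute if it is not encoded.
SAMPLE_BODY = ("firstname=John&lastname=Smith"
               "&username=john%40example.com%22%3E%3Cb%3Eprobe%3C%2Fb%3E"
               "&_newsletter=")

FIELDS = ("firstname", "lastname", "username")


def parse_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def render_vulnerable(values: dict) -> str:
    """Reflects the submitted values into the form verbatim: the bug class
    in the advisory, where user input reaches the HTML output unencoded."""
    rows = [f'<input name="{f}" value="{values.get(f, "")}">' for f in FIELDS]
    return "<form>" + "".join(rows) + "</form>"


def render_hardened(values: dict) -> str:
    """Same form, but every value is HTML-attribute-encoded on output.
    quote=True also encodes " and ', which matters inside value="..."."""
    rows = [
        f'<input name="{f}" value="{html.escape(values.get(f, ""), quote=True)}">'
        for f in FIELDS
    ]
    return "<form>" + "".join(rows) + "</form>"


def reflects_unescaped(body: str, renderer) -> bool:
    """Regression check: does any submitted value containing markup-significant
    characters (< > " ') reach the page intact? True means reflected XSS."""
    values = parse_body(body)
    page = renderer(values)
    for raw in values.values():
        if any(ch in raw for ch in '<>"\'') and raw in page:
            return True
    return False
```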

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Critical security flaws in Nagios NRPE client/server crypto

2014-02-14 Thread Aaron Zauner
in CC to: grok full disclosure, bugtraq

TL;DR - DO NOT USE NRPE'S SSL IMPLEMENTATION!
--

Dear Nagios developers,

It's been a couple of years since I've had a look at NRPE, the remote
monitoring agent distributed with Nagios. Back then we exclusively
used NRPE on unrouted dedicated monitoring VLANs.

I've recently been implementing monitoring with Icinga2 and been looking
up NRPE again. So I read through your source code and "documentation".
Here's my impression of your work.

- Cryptography -
README.SSL:
```
The Encryption is done using a set encryption routine of
AES-256 Bit Encryption using SHA and Anon-DH. This encrypts
all traffic using the NRPE sockets from the client to the server.
```

This is simply not true.

src/nrpe.c L259 and src/client_check.c L168:
```
SSL_CTX_set_cipher_list(ctx,"ADH");
```

Setting the cipherstring to "ADH" allows for a multitude of possible
cipherstrings, depending on the OpenSSL configuration on the system and
the configuration shipped by the operating system distribution.
Furthermore, a quick peek into the OpenSSL wiki [0] or any textbook [1]
on the subject would have shown you that anonymous Diffie-Hellman does
not provide any kind of authentication and is thus vulnerable to
(easily mounted) man-in-the-middle attacks.

src/nrpe.c L256 and src/client_check.c L145:
```
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
```

You're excluding SSLv2 and SSLv3, still leaving two broken protocols in
there: TLSv1.0 and TLSv1.1.

README.SSL
```
Since we are using Anon-DH this allows for an encrypted
SSL/TLS Connection without using pre-generated keys or
certificates. The key generation information used by the
program to dynaically create keys on daemon startup can be found
in the dh.h file in the nrpe src directory. This file was created
using the command:

openssl dhparam -C 512
```

512-bit DH has been broken _in_the_real_world_ for a couple of years.
Current best practices recommend 3k+ [2]. Furthermore, regenerating
Diffie-Hellman parameters with autotools may not really improve security.

As to the note on the developer not being sure if there would be
restrictions on the export: Yes. If you live in oppressive regimes there
are restrictions. i.e. for the US of A put a cryptography export notice
there.

The aforementioned implementation of "cryptography" does not provide any
security other than security by obscurity. It's completely absurd and
system administrators without proper knowledge might actually deploy
this, without any warning on the security implications caused by a
fisher-price-my-first-crypto implementation. The first lesson in any
course on cryptography is always “do not implement yourself!”.


- Code quality -
As with the Nagios core, the overall code quality is just horrendous.
I've not had time to check thoroughly but from just scrolling through I
see a wide variety of format string vulnerabilities and bad coding
practices.


- Bashing doesn't help, after all it's FOSS, right? -
I've patched some parts of the code to explicitly exclude anything else
than TLSv1.2 and use a sane default cipher string loaded from a
configuration file. But there's still much work to do to enable
something with low overhead like ECDHE-ECDSA - because, yes, in this
case, for good security you'll need certificate handling and proper
implemented PKI. I'm not sure on how to proceed, I see the following
three options:

.) Do nothing and ignore security completely
.) Completely remove the mentioned SSL code parts and only point to stunnel
.) Implement proper PKI with current cryptography and update the project
accordingly (I'd help with that - but I'm not sure if that's even reasonable)


Sincerely,
Aaron Zauner

[0] - http://wiki.openssl.org/index.php/Diffie_Hellman
[1] - https://www.schneier.com/book-ce.html
[1] - https://www.cl.cam.ac.uk/~rja14/book.html
[2] - http://www.keylength.com
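The message's two objections are that "ADH" expands to whatever anonymous suites the local OpenSSL happens to enable, and that TLSv1.0/1.1 stay on. The following is an added example (not NRPE's code and not Aaron's patch) using Python's ssl module on top of OpenSSL to expand a cipher string the way SSL_CTX_set_cipher_list does, flag the anonymous suites, and build a server context with the settings the message argues for; the HARDENED_CIPHERS string is an assumption chosen for the example.

```python
import ssl

# Cipher strings under discussion: NRPE's "ADH" (anonymous DH, no peer
# authentication) beside a replacement that keeps only authenticated,
# forward-secret AEAD suites. The replacement is an assumption for this
# example, not a string taken from NRPE.
NRPE_CIPHERS = "ADH"
HARDENED_CIPHERS = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5"


def audit_cipher_string(spec: str) -> dict:
    """Expand an OpenSSL cipher string as SSL_CTX_set_cipher_list would and
    report the TLS<=1.2 suites it enables and which of them are anonymous
    (OpenSSL marks those "Au=None": no authentication of the peer at all)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # OpenSSL rejected the whole string: nothing would be negotiable.
        return {"total": 0, "anonymous": []}
    # TLS 1.3 suites are configured separately and are always authenticated,
    # so only the suites governed by the cipher string are counted here.
    suites = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    anon = [c["name"] for c in suites if "Au=None" in c["description"]]
    return {"total": len(suites), "anonymous": anon}


def is_safe_to_deploy(spec: str) -> bool:
    """True only if the string enables at least one suite and none of them
    is anonymous; "ADH" fails this on every OpenSSL build."""
    report = audit_cipher_string(spec)
    return report["total"] > 0 and not report["anonymous"]


def hardened_server_context(spec: str = HARDENED_CIPHERS) -> ssl.SSLContext:
    """Server context in the shape the message argues for: TLS 1.2 or newer
    only (no TLSv1.0/1.1 left over), an explicit cipher string, and mandatory
    client-certificate verification. The caller still has to load a
    certificate, key and CA bundle; that PKI work is what the message
    says NRPE is missing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(spec)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

On an OpenSSL build that still ships anonymous suites, audit_cipher_string("ADH") lists only Au=None entries; on a build that drops them, the string is rejected outright and nothing would be negotiable, which is the other failure mode the message warns about.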




[Full-disclosure] CVE-2012-2627 not *really* fixed

2014-02-14 Thread Brandon Perry
On version 11.01 of Sonicwall scrutinizer (downloaded at www.mysonicwall.com),
it seems that the problem was not actually fixed? The open upload handler
still exists, but it fails on the move_uploaded_file line because the
directory that it attempts to move the file to (on linux at least) does not
exist.

https://gist.github.com/anonymous/8969165

-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

Re: [Full-disclosure] yahoo open redirect vulnerability full disclosur

2014-02-14 Thread Ronny Vasquez
Hi,

Works with an ad URL that hasn't expired; when the ad is replaced with
another one the exploit doesn't work, but nice vulnerability that you found.


On Wed, Feb 12, 2014 at 10:04 AM, Jing Wang  wrote:

> Dear Sir/Madam,
>
> I am a student from NTU, Singapore. My name is Wang Jing. I just found a
> yahoo open redirect vulnerability and reported it to yahoo 10 days ago.
>
> However, yahoo did nothing about it.
>
>
>
> The following is full disclosure. Attachment is proof of concept video.
> And the link below is the PoC video I just posted on YouTube.
> http://www.youtube.com/watch?v=GTd1Gkj6OUY&feature=youtu.be
>
>
> I just found one open url redirection vulnerability in yahoo.
>
> This attack doesn't even need users to log in to Yahoo. My test is on all
> browsers in all computer systems.
>
> I use "poc of exploit" to denote that url redirection works.
>
> Now I will use a website just built by me for the following tests. The
> website is "http://www.tetraph.com". We can think this website is
> malicious, because it is fully under my control.
>
>
> vulnerable url:
>
>
> http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.facebook.com%2Fcampaign%2Flanding.php%3Fcampaign_id%3D127305407328718
>
>
> poc exploit:
>
>
> http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.google.com
>
>
> http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.tetraph.com
>
>
> poc video:
>
> http://www.youtube.com/watch?v=GTd1Gkj6OUY&feature=youtu.be
>
>



-- 
Atentamente,
Ronny Vasquez
IT Security Advisor.

Re: [Full-disclosure] CVE-2014-1219 - Unauthenticated Privilege Escalation in CA 2E Web Option

2014-02-14 Thread Williams, James K


> Date: Wed, 12 Feb 2014 15:59:34 -
> From: "Portcullis Advisories" 
[snip]
> Vulnerability title: Unauthenticated Privilege Escalation in CA 
> 2E Web Option
>
> CVE: CVE-2014-1219
> Vendor: CA
> Product: 2E Web Option
> Affected version: 8.1.2
[snip]   


CA Technologies is currently investigating a vulnerability report 
concerning CA 2E Web Option that was published publicly on 2014-02-11 
(CVE-2014-1219).

This statement can be found at 
http://blogs.ca.com/securityresponse/2014/02/13/

Note that r8.1.2 reached End of Service (EOS) on April 10, 2013 and is 
no longer supported.  Customers can find the End of Service Announcement, 
dated April 10, 2012, on the CA Support website.
https://support.ca.com/

Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
ken.willi...@ca.com


Copyright (C) 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.



[Full-disclosure] [ MDVSA-2014:031 ] drupal

2014-02-14 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:031
 http://www.mandriva.com/en/support/security/
 ___

 Package : drupal
 Date: February 14, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 Multiple security issues were identified and fixed in drupal:
 
 The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows
 remote OpenID users to authenticate as other users via unspecified
 vectors (CVE-2014-1475).
 
 The Taxonomy module in Drupal 7.x before 7.26, when upgraded from
 an earlier version of Drupal, does not properly restrict access to
 unpublished content, which allows remote authenticated users to obtain
 sensitive information via a listing page (CVE-2014-1476).
 
 The updated packages have been upgraded to the 7.26 version which is
 unaffected by these security flaws.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1475
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1476
 https://drupal.org/SA-CORE-2014-001
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 1561765f33c6a67a7b63ecbc783a8e68  mbs1/x86_64/drupal-7.26-1.mbs1.noarch.rpm
 5d8bb1fedd2fc2acfe50272dbc57dc50  mbs1/x86_64/drupal-mysql-7.26-1.mbs1.noarch.rpm
 6f4d6b410161ef37d36e055b75ac61bf  mbs1/x86_64/drupal-postgresql-7.26-1.mbs1.noarch.rpm
 614f9cb70cbb955f445bbb3fc77dc819  mbs1/x86_64/drupal-sqlite-7.26-1.mbs1.noarch.rpm
 34636e9e6743b2b8e1e3e4c46156eb6c  mbs1/SRPMS/drupal-7.26-1.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  


[Full-disclosure] [ MDVSA-2014:032 ] flite

2014-02-14 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:032
 http://www.mandriva.com/en/support/security/
 ___

 Package : flite
 Date: February 14, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in flite:
 
 The play_wave_from_socket function in audio/auserver.c in Flite 1.4
 allows local users to modify arbitrary files via a symlink attack
 on /tmp/awb.wav. NOTE: some of these details are obtained from third
 party information (CVE-2014-0027).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0027
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 9ff31a7d8198f78a479e6b61df16e65a  mbs1/x86_64/flite-1.3-2.1.mbs1.x86_64.rpm
 27f5093dfbae9b8632064a117229a5ff  mbs1/x86_64/lib64flite-devel-1.3-2.1.mbs1.x86_64.rpm
 1a7c3036c885f25f810cd61a8fef93b8  mbs1/SRPMS/flite-1.3-2.1.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  


[Full-disclosure] [ MDVSA-2014:033 ] socat

2014-02-14 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:033
 http://www.mandriva.com/en/support/security/
 ___

 Package : socat
 Date: February 14, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in socat:
 
 Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and
 2.0.0-b1 through 2.0.0-b6 allows local users to cause a denial
 of service (segmentation fault) via a long server name in the
 PROXY-CONNECT address in the command line (CVE-2014-0019).
 
 The updated packages have been upgraded to the 1.7.2.3 version which
 is not vulnerable to this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0019
 http://www.dest-unreach.org/socat/contrib/socat-secadv5.txt
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 556abad28fdb5cc80a15ff69790f4487  mbs1/x86_64/socat-1.7.2.3-1.mbs1.x86_64.rpm
 4174e565e7144f2e37712c97163e8292  mbs1/SRPMS/socat-1.7.2.3-1.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  


[Full-disclosure] [ MDVSA-2014:034 ] yaml

2014-02-14 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:034
 http://www.mandriva.com/en/support/security/
 ___

 Package : yaml
 Date: February 14, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in yaml:
 
 The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before
 0.1.5 performs an incorrect cast, which allows remote attackers to
 cause a denial of service (application crash) and possibly execute
 arbitrary code via crafted tags in a YAML document, which triggers
 a heap-based buffer overflow (CVE-2013-6393).
 
 The updated packages have been upgraded to the 0.1.5 version which
 is not vulnerable to this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
 https://bitbucket.org/xi/libyaml/commits/tag/0.1.5
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 1e4b37eb517ff916bc1a4079fc67644c  mbs1/x86_64/lib64yaml0_2-0.1.5-1.mbs1.x86_64.rpm
 3ef60ab7c95691aafd2cbba52d04da9e  mbs1/x86_64/lib64yaml-devel-0.1.5-1.mbs1.x86_64.rpm
 1198a9d1904527bb54428bd0aff0  mbs1/SRPMS/yaml-0.1.5-1.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  